Develop Your Cybersecurity Skill Set

Learning Objectives

After completing this unit, you’ll be able to:

Explain the importance of technical and nontechnical cybersecurity skills, roles, and certifications.
Discuss the value and applicability of business skills in cybersecurity roles.

Technical and Nontechnical Roles

While the word “cybersecurity” sometimes immediately brings to mind complex coding and advanced technical skills, there’s a lot more to the field than is commonly understood. Cybersecurity is a field that balances two distinct but equally critical components: technical and nontechnical roles. Technical roles often steal the spotlight, with their direct engagement in resolving complex coding challenges and fighting cyber threats. But nontechnical roles, which focus more on strategic planning, policy development, and security auditing, play a very important part in the cybersecurity field.

Technical and nontechnical roles collaborate to build a strong system of security controls, broadly classified into three categories: administrative, technical, and operational.

Administrative controls (also known as management controls) are the written policies and procedures that an organization’s management develops and implements to guide the secure operation and use of systems. Examples include security policies, personnel screening procedures, and security training programs.
Technical controls (also known as physical and logical controls) are implemented using hardware and software to protect the organization’s physical and digital systems and data. Examples include access controls, firewalls, and encryption.
Operational controls are the day-to-day procedures and mechanisms used to protect systems and data. Examples include backup procedures, incident response procedures, security awareness training, and maintenance routines.

Technical roles are primarily responsible for the implementation and maintenance of technical controls while nontechnical roles are typically responsible for the development and implementation of administrative and operational controls.

In the following table, you’ll see how technical and nontechnical roles work in harmony to establish a comprehensive set of controls that address security from all angles—people, processes, and technology—forming an effective defense against threats.

Security Control Category and Sample Security Controls	Sample Roles to Implement the Controls	Key Skills Typically Required to Implement the Controls
Administrative (for example, access control policies, security awareness training, background checks, incident response plans)	Chief information security officer (CISO) Security control assessor (SCA) Cybersecurity policy analyst Security awareness manager Cybersecurity consultant Risk analyst	Risk management, strategic planning, user access management, insider threat analysis, technical writing, audit, and compliance
Technical (for example, firewalls, encryption tools, intrusion detection systems)	System administrator Network security specialist Penetration tester/ethical hacker	Networking, troubleshooting, penetration testing, threat hunting, monitoring, reporting
Operational (for example, system backups, contingency planning, user agreements)	Security administrator Incident response specialist IT operations manager Business information security officer (BISO)	Incident management, policy development, project management, compliance, strategic planning, business acumen, reporting

Understanding the distinctions between these security control categories—and the different roles and skills typically required—can provide a more nuanced view of the cybersecurity landscape. Each role is critical in building and maintaining a strong cybersecurity posture.

Technical roles and certifications

Let’s turn our attention to some examples of cybersecurity roles and the related certifications that can help demonstrate competence in those roles. Note that the importance of these or other certifications can vary depending on the specific requirements of a given role or employer.

Role	Typical Certifications
Cybersecurity architect: Create enterprise information security architecture that aligns business strategy and information security.	Certified Information Systems Auditor (CISA) Certified Information Systems Security Professional (CISSP) CISSP-Information Systems Security Architecture Professional (ISSAP) Project Management Professional (PMP)
Network security engineer: Safeguard computer networks by identifying network vulnerabilities, implementing network protections, and detecting intrusions.	CISSP CompTIA Network+ CompTIA Security+ Cisco Certified Network Associate (CCNA) Certified Cloud Security Professional (CCSP)
Penetration tester/ethical hacker: Help organizations identify, test, and resolve security vulnerabilities affecting their digital assets and computer systems and networks.	Certified Ethical Hacker (CEH) Offensive Security Certified Professional (OSCP) Licensed Penetration Tester (LPT) CompTIA PenTest+ GIAC Penetration Tester (GPEN)
Application security engineer: Assess applications throughout the software development lifecycle to ensure they are designed and built securely.	OSCP CompTIA Security+ GIAC Web Application Penetration Tester (GWAPT) Certified Secure Software Lifecycle Professional (CSSLP) Certified Application Security Engineer (CASE)
Cloud security engineer: Ensure the operations of secure cloud infrastructure and software by building and updating cloud networks and systems.	CCSP CISSP Amazon Web Services (AWS) Certified Security - Specialty Google Professional Cloud Security Engineer Certificate of Cloud Security Knowledge (CCSK)
Threat intelligence analyst: Identify threats through intelligence analysis and support incident response and forensics efforts.	CISSP Certificate Threat Intelligence Analyst (CTIA) Certified Incident Handling Engineer (CIHE) GIAC Cyber Threat Intelligence (GCTI)

A person laying bricks, with some bricks labeled: PMP, Network+, CGRC, CISM, OSCP, Security+,CISSP, CCISO.

Nontechnical roles and certifications

Similar to the technical roles, let’s take a look at relevant certifications for nontechnical roles.

Role	Typical Certifications
Cybersecurity leader: Manage teams and oversee business and technology activities in security-related matters.	CISSP Certified Chief Information Security Officer (CCISO) Certified in the Governance of Enterprise IT (CGEIT)
Cybersecurity compliance analyst: Protect businesses and consumers from breaches by helping them follow security laws, regulations, standards, and policies.	CISSP Certified Information Security Manager (CISM) CISA CompTIA Security+ Certified in Governance, Risk and Compliance (CGRC)
Cybersecurity risk manager: Protect digital business assets by managing risks including identifying, assessing, and mitigating risks to systems and networks.	CISSP CISM Certified in Risk and Information Systems Control (CRISC) CISA
Security awareness specialist: Develop learning and awareness programs to create a culture of cybersecurity within an organization.	CGRC CISM CompTIA Security+ ISO/IEC 27001 Certified Training Practitioner (CTP) Association for Talent Development (ATD) Instructional Design Certificate
Cybersecurity project manager: Develop and manage IT project plans including tasks, milestones, status, and allocation of resources.	CISSP CISM PMP Certified Project Manager (CPM) Certified ScrumMaster (CSM) PRINCE2 Project Manager
Business information security officer (BISO): Align business goals with security initiatives, ensuring that operational controls are both effective and do not unduly hinder work performance objectives and organizational mission accomplishment.	CISM CISSP CRISC CGEIT PMP Master of business administration (MBA) (An MBA or similar business degree, while not a certification, can benefit a BISO role by aiding in aligning cybersecurity strategies with business operations.)
Cybersecurity sales specialist: Market and sell cybersecurity products and services.	CISSP CompTIA Security+ Splunk certification (or other certification specific to the cybersecurity solution being marketed/sold) A formal degree or certifications in business, marketing, or a related field can also be advantageous in this role (for example, Certified Professional Sales Person [CPSP], Online Marketing Certified Professional [OMCP] Digital Marketing Certification)

Numerous resources provide free or affordable cybersecurity training to prepare you for certifications. Trailhead offers a Cybersecurity Career Path that provides guided learning paths to gain essential cybersecurity knowledge and skills. The Global Cyber Alliance (GCA) also offers Cybersecurity Toolkits, with free, actionable tools that can help you improve your cybersecurity readiness. The National Institute of Standards and Technology (NIST) also provides a list of free and low cost cybersecurity learning content. Finally, Fortinet, a global leader in cybersecurity solutions, offers an extensive free curriculum through the Fortinet Training Institute.

The Value of Business Skills in Cybersecurity

In the cybersecurity field, both technical and nontechnical abilities are referred to as “hard” skills, forming the bedrock of a professional’s expertise. It’s important to distinguish these from business skills (sometimes referred to as “soft” or “interpersonal” skills). While the hard skills provide the domain-specific knowledge and competencies needed in cybersecurity, business skills act as a binding agent, enhancing and connecting these technical and nontechnical capabilities. Business skills significantly impact a cybersecurity professional’s overall effectiveness in their role. They complement and amplify technical and nontechnical skills while expanding workforce potential.

Scenario

Let's imagine a cybersecurity professional named Mike who is a master of his trade. He excels in both technical (digital forensics, threat intelligence) and nontechnical (cybersecurity policies, risk assessments) skills. However, when a serious cyber attack hits his company, his lack of business skills hampers the response.

Despite his ability to identify and mitigate the breach, Mike’s communication with his team is confusing, which causes unnecessary alarm. He struggles to clearly convey the situation to senior management, which impedes effective decision-making. His poor teamwork skills and lack of empathy create a tense environment, which affects team productivity and morale.

In this case, Mike's proficiency in technical and nontechnical skills wasn’t enough for an effective incident response. His lack of strong business skills led to communication issues, low morale, and less coordinated response efforts, underlining the importance of business skills in cybersecurity.

Certain business skills stand out for their value in the cybersecurity domain, including:

Problem-solving: This skill is at the heart of cybersecurity, with professionals regularly identifying vulnerabilities, investigating breaches, and devising fixes.
Integrity: Given the sensitive nature of data and systems, it’s vital to be trustworthy and uphold ethical standards.
Leadership: Many roles involve not only leading teams, making critical decisions, and taking responsibility for projects and outcomes, but also driving change, developing new strategies, and fostering a culture that encourages creative problem-solving to tackle complex cybersecurity challenges.
Communication: Explaining complex security concepts to nonexperts is a common requirement, which requires clear, effective communication.
Teamwork: Maintaining security is a collective effort, so the ability to collaborate well is important.
Resilience: The ability to rebound from setbacks and challenges is a key skill in a field where threats constantly evolve.
Adaptability: Cybersecurity’s landscape changes swiftly, which demands professionals who can adapt and learn quickly.
Analytical thinking: Analyzing intricate systems and patterns to spot potential vulnerabilities and attacks is a core part of the job.
Empathy/compassion: Understanding the perspectives and concerns of users and even adversaries is crucial, guiding the design of user-friendly security measures and enabling effective threat assessment.
Coachability: The commitment to continuous learning and openness to feedback is vital in this rapidly advancing field.

The economic value of business skills

Studies from institutions such as Harvard University, the Carnegie Foundation, and the Stanford Research Center have collectively highlighted the paramount importance of business and interpersonal skills in job performance. According to their research, 85% of job success is due to strong people skills, while only 15% is due to technical skills and knowledge.

There are several ways to develop and practice business skills, including:

Education and training: Enroll in relevant courses or workshops that focus on development of communication, leadership, problem-solving, or other relevant skills. Online platforms such as Coursera, Udemy, YouTube, and LinkedIn Learning offer a wide range of courses in these areas.
Experience and practice: Take on roles or projects where you can exercise these skills, because the best way to improve business skills is through practice. For instance, taking the lead on a project can help develop leadership skills, while working as part of a team can improve collaboration and communication skills.
Feedback and self-reflection: Request feedback from colleagues, mentors, or supervisors. This can provide valuable insights into areas of improvement. Self-reflection, identifying strengths and areas for growth, and setting personal development goals are also beneficial.
Mentorship and coaching: Find a mentor or hire a coach. This can help you understand the practical applications of business skills in your role.
Networking: Join professional associations, attend industry events, and engage in discussions. This can offer opportunities to observe and learn business skills from others.
Reading and self-study: Dig into books, articles, and podcasts on topics such as emotional intelligence, leadership, and communication. These can be great sources of self-paced learning.

A diverse skill set within cybersecurity teams is essential for success. Each team member brings a unique perspective to the table, which is crucial when facing complex challenges. A well-rounded cybersecurity professional possesses a blend of technical, nontechnical, and business skills. This enables them to collaborate effectively with teams and stakeholders, manage stressful situations, and drive the organization’s cybersecurity agenda. Prioritizing this holistic approach in professional development leads to more successful careers and resilient organizations in the face of evolving cyber threats.

Practice

Let’s review a practical exercise to apply your understanding of cybersecurity skills and certifications.

Activity Description: This exercise involves a dynamic role-play scenario, where you will use your business skills in tandem with your technical and nontechnical skills to navigate a cybersecurity situation.

Form a group and assign different roles that commonly exist within a cybersecurity team (such as a cybersecurity leader, threat intelligence analyst, or cybersecurity project manager).
Together, create a scenario that involves a cybersecurity challenge that requires the engagement and collaboration of all assigned roles. For example:
1. Data breach: Sensitive customer data has been leaked. The team must identify the breach source, manage damage control, notify customers, and improve future security.
2. Phishing attack: Employees have fallen for phishing emails. The team must limit potential damage, educate employees, and prevent similar incidents.
3. Insider threat: There’s evidence of an employee intentionally causing security issues. The team must investigate, manage the employee situation, and enhance access controls and monitoring.
4. Ransomware attack: The company’s systems are infected with ransomware, with locked files and a ransom demand. The team must respond to the attack, decide on negotiations, and work on system and data restoration.
Discuss and strategize on how to employ your respective business skills (such as communication, teamwork, empathy, adaptability, problem-solving, etc.) within your assigned roles to address the challenge.
Act out the scenario, actively integrating your business skills with your technical and nontechnical skills in your decision-making process.
After the role-play, hold a group discussion on how the integration of business skills aided in managing the situation and how it could improve in the future.

Skills Used: Collaboration, role-playing, application of business skills, problem-solving, reflection, communication

In this unit, we’ve delved into the importance of both technical and nontechnical skills in various cybersecurity roles, and how obtaining relevant certifications can amplify your capabilities. We’ve also highlighted the vital role of business skills, such as leadership, communication, and empathy, in enhancing a cybersecurity professional’s efficacy. In the next unit, we will focus on ways to harness these skills and certifications to drive innovation and progress in your cybersecurity journey.

Knowledge Check

Ready to review what you’ve learned? In this module, you’ve been introduced to technical, nontechnical, and business skills. You’ve learned which technical and nontechnical certifications are typical of certain cybersecurity roles and how to practice these skills in a cybersecurity scenario. Before moving to the next unit, let’s check your understanding of the previous content.

The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the description in the left column next to the matching category on the right. When you finish matching all the items, click Submit to check your work. To start over, click Reset.

Great work! Now that we’ve reviewed information from the previous units, let’s see what it takes to innovate and grow in your cybersecurity career.